Posts by Alan David Foster

6 min Metasploit

Metasploit Weekly Wrap-Up 11/01/2024

Pool Party Windows Process Injection This Metasploit-Framework release includes a new injection technique deployed on core Meterpreter functionalities such as process migration and DLL Injection. The research of a new injection technique known as PoolParty [https://www.safebreach.com/blog/process-injection-using-windows-thread-pools/] highlighted new ways to gain code execution on a remote process by abusing Thread-Pool management features included on Windows kernel starting from Windows Vista.

1 min Metasploit

Metasploit Weekly Wrap-Up 08/23/2024

New module content (3) Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276) Authors: Michael Heinzl and Tenable Type: Auxiliary Pull request: #19373 [https://github.com/rapid7/metasploit-framework/pull/19373] contributed by h4x-x0r [https://github.com/h4x-x0r] Path: admin/http/fortra_filecatalyst_workflow_sqli AttackerKB reference: CVE-2024-5276 [https://attackerkb.com/search?q=CVE-2024-5276&referrer=blog] Description: This adds an auxiliary module to exploit the CVE-2024-5276, a SQL inj

3 min Metasploit

Metasploit Weekly Wrap-Up 06/14/2024

New module content (5) Telerik Report Server Auth Bypass Authors: SinSinology and Spencer McIntyre Type: Auxiliary Pull request: #19242 [https://github.com/rapid7/metasploit-framework/pull/19242] contributed by zeroSteiner [https://github.com/zeroSteiner] Path: scanner/http/telerik_report_server_auth_bypass AttackerKB reference: CVE-2024-4358 [https://attackerkb.com/search?q=CVE-2024-4358?referrer=blog] Description: This adds an exploit for CVE-2024-4358 which is an authentication bypass in Te

3 min Metasploit

Metasploit Weekly Wrap-Up 04/05/2024

New ESC4 Templates for AD CS Metasploit added capabilities [https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/attacking-ad-cs-esc-vulnerabilities.html] for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module which enables users to read and write certificate template objects. This facilitates the exploitation of ESC4 which is a misconfiguration in

5 min Metasploit

Metasploit Weekly Wrap-Up 01/26/24

Direct Syscalls Support for Windows Meterpreter Direct system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do so is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Direct syscalls are a way to run system calls directly and enter kernel

2 min Metasploit

Metasploit Wrap-Up

This week’s Metasploit release contains 2 new modules released as part of the Rapid7 F5 BIG-IP and iControl REST Vulnerabilities research article.

3 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 29, 2023

TeamCity authentication bypass and remote code execution This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer who additionally published a technical analysis on AttackerKB for CVE-2023-4279

5 min Metasploit

Metasploit Weekly Wrap-Up: Jun. 16, 2023

Metasploit T-Shirt Design Contest In honor of Metasploit's 20th anniversary, Rapid7 is launching special edition t-shirts - and we're inviting members of our community to have a hand in its creation. The contest winner will have their design featured on the shirts, which will then be available to pick up at Black Hat 2023. We will be accepting submissions from now through June 30! Contest details, design guidelines, and submission instructions here [https://docs.google.com/forms/d/e/1FAIpQLSeWU

4 min Metasploit

Metasploit Wrap-Up: May 12, 2023

New modules for Zyxel Router RCE, Pentaho Business Server Auth Bypass, ManageEngine ADAudit authenticated file write RCE, and HTTPTrace functionality added to scanner modules

7 min Metasploit

Metasploit Weekly Wrap-Up: Mar. 31, 2023

5 new modules including Windows 11 WinSock Priv Esc, SolarWinds Information Service (SWIS) RCE and AMQP Support

13 min Metasploit

Metasploit Framework 6.3 Released

Metasploit Framework 6.3 is now available. New features include native Kerberos authentication support, streamlined Active Directory attack workflows (AD CS, AD DS), and new modules that request, forge, and convert tickets between formats.

3 min Metasploit

Metasploit Weekly Wrap-Up: 11/11/22

ADCS - ESC Vulnerable certificate template finder Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates. Example module output showing an identified vulnerable certificate template: msf6 auxiliar

3 min Metasploit

Metasploit Wrap-Up: 8/19/22

Advantech iView NetworkServlet Command Injection This week Shelby Pace [https://github.com/space-r7] has developed a new exploit module for CVE-2022-2143 [https://attackerkb.com/topics/XYFOEYsgKa/cve-2022-2143?referrer=blog]. This module uses an unauthenticated command injection vulnerability to gain remote code execution against vulnerable versions of Advantech iView software below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, granting the module user unauthenticated privileged access

9 min Metasploit

Announcing Metasploit 6.2

Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes.

4 min Metasploit

Metasploit Weekly Wrap-Up: 5/27/22

PetitPotam Improvements Metasploit’s Ruby support has been updated to allow anonymous authentication to SMB servers. This is notably useful while exploiting the PetitPotam vulnerability with Metasploit, which can be used to coerce a Domain Controller to send an authentication attempt over SMB to other machines via MS-EFSRPC methods: msf6 auxiliary(scanner/dcerpc/petitpotam) > run 192.168.159.10 [*] 192.168.159.10:445 - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.159